Buzz
When unexpected Amazon deliveries began arriving at Chris’s* Connecticut home last fall, he and his wife initially thought one of them was purchasing Christmas gifts for the other. However, the items inside the packages seemed far from the kind of presents either of them would want. "I opened several boxes addressed to me and discovered items I honestly couldn't recognize," he shared. "I still have no idea what they are."
There were no unauthorized orders in their Amazon Prime account. Upon reaching out to Amazon, they were advised to discard the items. In total, Chris received six packages, containing roughly 10 to 12 items. One item, which he showed me, was a heat-activated fan designed for a wood-burning stove, worth about $45 to $55 on Amazon. But Chris doesn’t own a wood-burning stove.
Eventually, Chris uncovered the source of the orders: they appeared on his credit card statement. Someone had stolen his credit card information and used it to make purchases, which were then shipped directly to him.
At first, it’s a scam that seems illogical. Why would someone steal your credit card details just to order items they can’t even use?
But the situation is a bit more complicated than that.
Chris explained that when he reached out to American Express, his credit card provider, they helped him piece together the situation: Scammers target old, expired credit card numbers and test them on Amazon to see if they are still valid. Gradually, they begin placing larger orders, send them to your address, and then use a porch pirate to grab the packages before you even notice.
While he doesn’t have definitive proof that the breach originated from his Amazon account, Chris did have outdated credit card information stored in it, which American Express advised him to remove.
"It’s a disturbingly clever crime," said consumer expert Clark Howard. Chris’s ordeal seems to be a more malicious take on a practice known as brushing. This occurs when third-party Amazon sellers ship their products to random people to artificially boost their ratings; these recipients can then leave a review for the "verified purchase." (For more on schemes that elevate third-party seller rankings on Amazon, tune in to Reply All’s episode “The Magic Store.”)
But this small-time scam doesn’t explain how Chris’s credit card number was stolen.
Imagine you’ve had an Amazon account for 10 years and during that time, you’ve added five or six different payment methods. Even if those cards are expired, they can still be used against you if your account gets compromised.
That’s because credit card companies aim to work well with their retail partners. If a retailer (like Amazon, for example) has an agreement with a card issuer (such as American Express) and is willing to shoulder the risk, “they can still process cards that are no longer officially valid,” Howard explained.
"The system is designed with the understanding that some fraud is inevitable," he said. But when you weigh that minor risk against the significant revenue a website can generate by allowing purchases from customers who haven’t updated their payment details, it’s easy to see why a retailer might accept the risk. The only merchants less likely to absorb that liability are electronics stores, Howard pointed out. However, "People committing online fraud generally know which retailers are willing to take on the risk, like Amazon, and which are not," Howard added.
Once a scammer finds a valid card, they place an order in your name and track its progress. As soon as it’s dropped on your doorstep, the scammer or one of their accomplices can casually walk by and grab it. It seems that Chris’s scammers weren’t very skilled—or perhaps they were just content with their initial small orders and moved on to bigger, more lucrative attempts using his credit card.
Just before Christmas, we managed to connect Chris with an Amazon team that promised to look into the matter, but they have yet to respond to follow-up messages after the holidays. An Amazon spokesperson stated via email, “We are investigating this customer’s inquiry regarding unsolicited packages, as this would breach our policies. We remove sellers who violate these policies, withhold payments, and cooperate with law enforcement to take appropriate action.”
In the meantime, Howard shared some advice for avoiding this situation.
Opt for a single credit card
First, he recommends selecting just one credit card for all of your online purchases. By keeping your transactions on a single card, it becomes easier to monitor your spending, and any unusual activity will stand out more clearly. While you may miss out on some rewards, Howard argues that the decreased risk of fraud by simplifying your purchases is worth the trade-off.
Next time you use that chosen card for an online purchase, be sure to remove all the other cards stored in your account.
Use disposable card numbers
Secondly, for extra caution, you may want to look into a service that generates one-time use credit card numbers every time you shop online. If the number is compromised, it will be useless to fraudsters after it’s been used once. Your bank or credit card issuer may refer to this as a “virtual card” or a “virtual card number.” While you might lose the convenience of having your payment details saved with the retailer, the added security it provides is worth it.
Consider home security measures
Lastly, consider installing a camera at your front door or wherever packages are left. You don’t need to invest in an expensive or intrusive smart doorbell; there are affordable security cameras, often under $50, that can help you capture evidence if a porch pirate is at work. This footage could assist law enforcement in catching criminals in your area.
If something feels off, report it immediately
If you think you’ve been targeted by a hacker sending gifts to your doorstep, it's essential to act swiftly. Howard cautions that if you notice suspicious account activity more than a week or two after it happens, proving that you’re not at fault and that it’s fraud could become difficult. "Many people never check their statements or don’t look at their electronic statements," he noted. Reach out to your card issuer and the retailer as soon as you spot something unusual.
Although American Express was unable to comment on Chris's specific case, a spokesperson issued a statement urging consumers to protect their financial data. "If you're ever unsure, you should contact your financial institution directly," the spokesperson said. "We will take immediate action if we confirm the situation is fraudulent."
Howard suggests starting an online chat with the retailer to report any mystery packages, creating a record of the conversation. The retailer might tell you to discard the items, as Amazon did with Chris, or it might request that you send the items back using a prepaid return label.
Once you've taken care of the immediate issue, don’t let your guard down. "Once you’re a target, it's likely not the last time they’ll try to exploit you," Howard warned. The methods scammers use to infiltrate our financial lives continue to evolve.
"It will keep evolving," he said. "Criminals are always looking for new vulnerabilities in our personal behaviors or corporate systems." The best advice six months from now might be entirely different, as scammers adapt and exploit new weaknesses. "People won’t pay attention until something happens to them."
*Name has been altered to protect privacy.
